Michael,
On 12/13/23 15:43, Michael D. Setzer II wrote:
/var/log/secure
Thank you for your reply, but /var/log is basically empty (meaning very few files located there). journald has absorbed everything and files are no longer the way to get logs from systemd-based environments.
The only thing which contains non-trivial information is /var/log/journal/* which is a bunch of binary files.
My reply below shows how you can get the stunnel-related log messages. I don't believe they are available through any traditional text-based log file.
-chris
On 13 Dec 2023 at 15:37, Christopher Schultz wrote:
Date sent: Wed, 13 Dec 2023 15:37:04 -0500
To: "'stunnel-users@stunnel.org'" stunnel-users@stunnel.org
From: Christopher Schultz chris@christopherschultz.net
Subject: [stunnel-users] Re: Getting logs in systemd environment
Carter,
On 12/13/23 14:53, cbrowne wrote:
Have you tried doing "find / -name stunnel.log -print" as root. I have found that the log file can be in a number of different locations depending on the system.
There are no files named stunnel.log on my system.
I do not have a specific setting for "output". I was expecting syslog to be used for that purpose without a specific setting. syslog=yes appears to be the default given the man page for stunnel.
But your comment got me more interested in exactly what was happening, so I tried /not/ limiting journalctl --follow to a specific service and I can see all kinds of things coming from stunnel:
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[main]: Found 1 ready file descriptor(s)
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[main]: FD=4 events=0x2001 revents=0x0
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[main]: FD=11 events=0x2001 revents=0x1
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[main]: FD=12 events=0x2001 revents=0x0
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[main]: FD=13 events=0x2001 revents=0x0
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[main]: FD=14 events=0x2001 revents=0x0
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[main]: Service [ORU-outbound] accepted (FD=3) from ::ffff:20.204.213.204:55455
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[174806]: Service [ORU-outbound] started
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[174806]: Setting local socket options (FD=3)
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[174806]: Option TCP_NODELAY set on local socket
Dec 13 20:31:00 example.com stunnel[300695]: LOG5[174806]: Service [ORU-outbound] accepted connection from ::ffff:20.204.213.204:55455
Dec 13 20:31:00 example.com stunnel[300695]: LOG6[174806]: Peer certificate required
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[174806]: TLS state (accept): before SSL initialization
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[174806]: TLS state (accept): before SSL initialization
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[174806]: Initializing application specific data for session authenticated
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[174806]: SNI: no virtual services defined
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[174806]: TLS state (accept): SSLv3/TLS read client hello
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[174806]: TLS state (accept): SSLv3/TLS write server hello
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[174806]: TLS state (accept): SSLv3/TLS write certificate
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[174806]: TLS state (accept): SSLv3/TLS write key exchange
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[174806]: TLS state (accept): SSLv3/TLS write certificate request
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[174806]: TLS state (accept): SSLv3/TLS write server done
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[main]: Found 1 ready file descriptor(s)
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[main]: FD=4 events=0x2001 revents=0x0
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[main]: FD=11 events=0x2001 revents=0x1
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[main]: FD=12 events=0x2001 revents=0x0
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[main]: FD=13 events=0x2001 revents=0x0
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[main]: FD=14 events=0x2001 revents=0x0
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[main]: Service [ORU-outbound] accepted (FD=15) from ::ffff:client.ip:44905
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[174807]: Service [ORU-outbound] started
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[174807]: Setting local socket options (FD=15)
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[174807]: Option TCP_NODELAY set on local socket
Dec 13 20:31:00 example.com stunnel[300695]: LOG5[174807]: Service [ORU-outbound] accepted connection from ::ffff:client.ip:44905
Dec 13 20:31:00 example.com stunnel[300695]: LOG6[174807]: Peer certificate required
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[174807]: TLS state (accept): before SSL initialization
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[174807]: TLS state (accept): before SSL initialization
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[174807]: Initializing application specific data for session authenticated
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[174807]: SNI: no virtual services defined
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[174807]: TLS state (accept): SSLv3/TLS read client hello
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[174807]: TLS state (accept): SSLv3/TLS write server hello
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[174807]: TLS state (accept): SSLv3/TLS write certificate
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[174807]: TLS state (accept): SSLv3/TLS write key exchange
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[174807]: TLS state (accept): SSLv3/TLS write certificate request
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[174807]: TLS state (accept): SSLv3/TLS write server done
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[174806]: TLS alert (read): fatal: certificate unknown
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[174806]: Remove session callback
Dec 13 20:31:00 example.com stunnel[300695]: LOG3[174806]: SSL_accept: ssl/record/rec_layer_s3.c:1605: error:0A000416:SSL routines::sslv3 alert certificate unknown
Dec 13 20:31:00 example.com stunnel[300695]: LOG5[174806]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
So this probably just comes down to either systemd/journalctl or me being stupid.
Instead of asking for the journal/log for the "unit" stunnel (i.e. journalctl -u stunnel), you need instead to ask for the "syslog identifier" called stunnel like this:
$ journalctl -t stunnel
If you use --follow you get tail -f behavior, which is nice to see what's happening in real-time.
-chris
On 12/13/2023 2:39 PM, Christopher Schultz wrote:
other systems (e.g. /var/log/secure, /var/log/auth, etc.). It appears the case that I should be able to view the journals using this command:
sudo journalctl --follow -u stunnel.service
But nothing is ever printed there.
stunnel-users mailing list -- stunnel-users@stunnel.org To unsubscribe send an email to stunnel-users-leave@stunnel.org
+------------------------------------------------------------+ Michael D. Setzer II - Computer Science Instructor (Retired) mailto:mikes@guam.net mailto:msetzerii@gmail.com mailto:msetzerii@gmx.com Guam - Where America's Day Begins G4L Disk Imaging Project maintainer http://sourceforge.net/projects/g4l/ +------------------------------------------------------------+
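As an added example (not part of the original messages and not stunnel's own code): once `journalctl -t stunnel` returns entries, this Python script correlates stunnel's per-connection log lines to report which peers had a TLS handshake fail, as connection 174806 does in the excerpt above. The sample lines are constructed after that excerpt with documentation addresses; the function names and the choice of LOG3 and below as the error threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the short syslog-style format shown in the thread.
# Peer addresses are documentation placeholders (192.0.2.0/24).
SAMPLE = """\
Dec 13 20:31:00 example.com stunnel[300695]: LOG5[174806]: Service [ORU-outbound] accepted connection from ::ffff:192.0.2.10:55455
Dec 13 20:31:00 example.com stunnel[300695]: LOG5[174807]: Service [ORU-outbound] accepted connection from ::ffff:192.0.2.20:44905
Dec 13 20:31:00 example.com sshd[1234]: constructed non-stunnel line, must be ignored
Dec 13 20:31:00 example.com stunnel[300695]: LOG7[174806]: TLS alert (read): fatal: certificate unknown
Dec 13 20:31:00 example.com stunnel[300695]: LOG3[174806]: SSL_accept: ssl/record/rec_layer_s3.c:1605: error:0A000416:SSL routines::sslv3 alert certificate unknown
Dec 13 20:31:00 example.com stunnel[300695]: LOG5[174806]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
Dec 13 20:31:01 example.com stunnel[300695]: LOG5[174807]: Connection closed: 120 byte(s) sent to TLS, 64 byte(s) sent to socket
"""

# stunnel[<pid>]: LOG<syslog level>[<connection id or "main">]: <message>
LINE = re.compile(
    r"stunnel\[(?P<pid>\d+)\]: LOG(?P<level>[0-7])\[(?P<conn>[^\]]+)\]: (?P<msg>.*)$"
)
ACCEPT = re.compile(
    r"Service \[(?P<service>[^\]]+)\] accepted connection from (?P<peer>\S+)"
)


def failed_handshakes(lines, max_level=3):
    """Return one record per error-level message, tagged with service and peer."""
    conns, failures = {}, []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not a stunnel entry (e.g. unfiltered journalctl output)
        key = (m["pid"], m["conn"])
        level, msg = int(m["level"]), m["msg"]
        accepted = ACCEPT.search(msg)
        if accepted:
            conns[key] = accepted.groupdict()
        elif level <= max_level and key in conns:
            failures.append({**conns[key], "conn": m["conn"], "error": msg})
        elif msg.startswith("Connection "):
            conns.pop(key, None)  # connection finished; drop its state
    return failures


def failures_by_peer(failures):
    """Count failures per peer host (the port after the last ':' is dropped)."""
    return Counter(f["peer"].rpartition(":")[0] for f in failures)


if __name__ == "__main__":
    for f in failed_handshakes(SAMPLE.splitlines()):
        print(f["service"], f["peer"], f["error"])
```

To run it against live data, pass the lines from `journalctl -t stunnel --no-pager` to `failed_handshakes()` in place of the sample.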
On 13.12.23 21:58, Christopher Schultz wrote:
Thank you for your reply, but /var/log is basically empty (meaning very few files located there). journald has absorbed everything and files are no longer the way to get logs from systemd-based environments.
The only thing which contains non-trivial information is /var/log/journal/* which is a bunch of binary files.
My reply below shows how you can get the stunnel-related log messages. I don't believe they are available through any traditional text-based log file.
I don't know about Amazon Linux, but for Linux in general, that's not true. The "Red Hat way" (extending to Fedora, CentOS, Rocky, etc.), in particular, is to have journald pass all data to rsyslogd¹, which then deals with a) long-term plaintext file storage and b) forwarding to remote log servers, areas where journald is still not up to snuff AFAIK.
¹ Squashing the journald-ish structured data into the almost-entirely-flat olde syslog-style message format, of course.
Logically, RHELish distros still do run logrotate as well, and auditd logs directly to files in /var/log/audit/ (that it rotates itself), in spite of the OS being fully systemd based.
Kind regards,
Jochen,
On 12/13/23 16:42, Jochen Bern wrote:
On 13.12.23 21:58, Christopher Schultz wrote:
Thank you for your reply, but /var/log is basically empty (meaning very few files located there). journald has absorbed everything and files are no longer the way to get logs from systemd-based environments.
The only thing which contains non-trivial information is /var/log/journal/* which is a bunch of binary files.
My reply below shows how you can get the stunnel-related log messages. I don't believe they are available through any traditional text-based log file.
I don't know about Amazon Linux, but for Linux in general, that's not true.
Yeah, I've been using Linux since 1994 and I have to admit I'm pretty annoyed by the behavior I'm experiencing, here. It's nothing to do with stunnel and everything to do with the choices made by the journald project and the package maintainers for Amazon Linux 2023.
The "Red Hat way" (extending to Fedora, CentOS, Rocky, etc.), in particular, is to have journald pass all data to rsyslogd¹, which then deals with a) long-term plaintext file storage and b) forwarding to remote log servers, areas where journald is still not up to snuff AFAIK.
This is absolutely not happening in this environment.
¹ Squashing the journald-ish structured data into the almost-entirely-flat olde syslog-style message format, of course.
Logically, RHELish distros still do run logrotate as well, and auditd logs directly to files in /var/log/audit/ (that it rotates itself), in spite of the OS being fully systemd based.
Notably, /var/log/audit/ is one of the things that DOES exist in this environment. But /var/log is a wasteland:
$ sudo ls -1F /var/log
README@
amazon/
audit/
btmp
btmp-20231201
chrony/
cloud-init-output.log
cloud-init.log
dnf.librepo.log
dnf.log
dnf.rpm.log
hawkey.log
hawkey.log-20231203
hawkey.log-20231210
journal/
lastlog
private/
sa/
sssd/
tallylog
wtmp
/var/log/README says:
" You are looking for the traditional text log files in /var/log, and they are gone?
Here's an explanation on what's going on:
You are running a systemd-based OS where traditional syslog has been replaced with the Journal. The journal stores the same (and more) information as classic syslog. To make use of the journal and access the collected log data simply invoke "journalctl", which will output the logs in the identical text-based format the syslog files in /var/log used to be. For further details, please refer to journalctl(1).
Alternatively, consider installing one of the traditional syslog implementations available for your distribution, which will generate the classic log files for you. Syslog implementations such as syslog-ng or rsyslog may be installed side-by-side with the journal and will continue to function the way they always did.
Thank you!
Further reading:
man:journalctl(1)
man:systemd-journald.service(8)
man:journald.conf(5)
https://0pointer.de/blog/projects/the-journal.html
"
So I guess the way to get the "Red Hat way" is to additionally install a form of syslog on top of the base system. I'm not sussed to having to do that, since I consider syslog to be one of the most basic parts of a Linux system.
I guess what I'm trying to say is "get off my lawn". :)
-chris